

Logging Controls

We recommend that the security administrator combine control options, user-based controls (ACID attributes), and entitlement-based controls (ACTION(AUDIT) on a PERMIT) to tailor logging to the business needs of the installation.

Business Value:

Event logging helps ensure that your site enforces its policy, but logging adds cost in processing path length, data repository size, and so on. Weigh this overhead against the audit requirement when you decide which logging controls to activate.

Additional Considerations:

Periodically review these controls to confirm that the logging that is in effect is still the logging that was requested, and that it still supports business objectives, security policy, and site requirements. Logging that was enabled for a one-time investigation and never removed is a common source of unnecessary overhead.

The following global control options help you customize when and how you capture data to logs:

ADMINBY

Logs information in ACID security records to indicate the following actions:

LOG

Allows you to note the following actions:

The LOG option affects all facilities.

SECTRACE

Activates a diagnostic security trace on the activities of all defined users or of specific users.

By default, CA Top Secret logs failed access attempts (violations). To have successful accesses logged as well, a security administrator can specify ACTION(AUDIT) on a PERMIT command, which causes a logging record to be written each time that permission is used, or can add the resource to the AUDIT special ACID, which causes a logging record to be written whenever that resource is accessed.

You can log all activity for a user by using one of the following ACID attributes:

AUDIT

Specifies that all activity of the ACID is audited (logged).

TRACE

Activates a diagnostic trace on all ACID activity, such as initiations, resource access, violations, and user security mode. Because this is a diagnostic trace rather than an audit control, it carries the processing and data-volume overhead noted above; enable it for a specific ACID while troubleshooting and remove it afterwards.
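The following batch job is an added example, not taken from the product documentation, that applies each of the three kinds of logging control described above and then lists the result for the periodic review recommended earlier. The ACID APPUSR1, the data-set prefixes, and the job card are constructed for illustration; the TSS command forms are the standard ADDTO, PERMIT, LIST, and MODIFY(STATUS) commands, and the job should be checked against your installation's TSS command reference before use.

```jcl
//TSSAUDIT JOB (ACCT),'LOGGING CONTROLS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Constructed example (not product documentation): ACID APPUSR1 and
//* the PROD.* data-set prefixes are hypothetical.
//*
//* APPLY applies three logging controls:
//*   user-based:        AUDIT attribute on APPUSR1 logs all of its activity
//*   entitlement-based: ACTION(AUDIT) on a PERMIT logs each use of that
//*                      permission (successful accesses, not only violations)
//*   resource-based:    adding a resource to the AUDIT special ACID logs
//*                      every access to it, by any ACID
//* REVIEW lists the control options and the records just changed so the
//* settings can be compared with what was requested.
//*
//APPLY    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  TSS ADDTO(APPUSR1) AUDIT
  TSS PERMIT(APPUSR1) DSNAME(PROD.PAYROLL.) ACCESS(UPDATE) ACTION(AUDIT)
  TSS ADDTO(AUDIT) DSNAME(PROD.HR.MASTER.)
/*
//REVIEW   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  TSS MODIFY(STATUS)
  TSS LIST(APPUSR1) DATA(ALL)
  TSS LIST(AUDIT) DATA(ALL)
/*
//* BACKOUT is the matching removal for when a review finds the extra
//* logging is no longer required (for example after an investigation).
//* Leave it commented until that decision is made.
//*BACKOUT  EXEC PGM=IKJEFT01,DYNAMNBR=20
//*SYSTSPRT DD SYSOUT=*
//*SYSTSIN  DD *
//*  TSS REMOVE(APPUSR1) AUDIT
//*  TSS REVOKE(APPUSR1) DSNAME(PROD.PAYROLL.)
//*  TSS REMOVE(AUDIT) DSNAME(PROD.HR.MASTER.)
//*/*
```

The REVIEW step exists so that the output of TSS MODIFY(STATUS) and the two LIST commands can be kept with the change record; at the next periodic review, comparing a fresh listing against that record shows whether any AUDIT attribute, ACTION(AUDIT) permission, or AUDIT-ACID entry has been added or left behind without a current business justification.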

Also consider the effect that bypass privileges assigned to an individual ACID have on logging. A bypass privilege lets the ACID skip a security check, but it does not suppress logging: CA Top Secret for z/OS generates special log entries when an ACID uses any of the following privileges:

NODSNCHK

Specifies that no data set name checks are performed; CA Top Secret for z/OS bypasses all data set access security checks for the ACID. Auditing occurs.

NOLCFCHK

Allows an ACID to execute any command or transaction for all facilities, regardless of Limited Command Facility (LCF) restrictions. If the NOLCFCHK attribute is in an ACID, that ACID's terminal cannot be locked. Auditing occurs.

NORESCHK

Allows an ACID to bypass security checking for all owned resources except data sets and volumes. Auditing occurs.

NOSUBCHK

Allows an ACID to bypass alternate ACID usage and all job submission security checking. Associated ACIDs may submit all jobs regardless of the (derived) ACID on the job statement being submitted. Auditing occurs.

NOVOLCHK

Allows an ACID to bypass volume level security checking. Auditing occurs.